CVE-2026-33517 in Mantis Bug Tracker

Summary

by MITRE • 03/23/2026

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.


Analysis

by VulDB Data Team • 03/28/2026

The vulnerability identified as CVE-2026-33517 affects Mantis Bug Tracker version 2.28.0, specifically the tag deletion functionality exposed through the tag_delete.php script. It is a classic cross-site scripting vulnerability arising from inadequate input sanitization and output escaping: when the system displays the confirmation message during tag deletion, it renders the tag name in the user interface without escaping it first. This gives an attacker the opportunity to inject arbitrary HTML and, depending on the site's Content Security Policy, execute JavaScript in the context of a victim's browser session.

Technically, the flaw lies in how user-supplied data is handled when the confirmation message is generated. When a user attempts to delete a tag, the system builds the message by substituting the tag name into a format string without sanitizing it. This follows the well-established pattern of reflected cross-site scripting, in which attacker-controlled input flows directly into the application's output, and it falls under CWE-79, the weakness category for cross-site scripting in web applications. The practical impact depends on the site's Content Security Policy: a restrictive policy can block injected inline script, but a permissive or absent policy lets injected content execute once it reaches the page.

The operational impact goes beyond simple data theft or defacement, since a successful attacker can execute arbitrary JavaScript within an authenticated user's session. An attacker who exploits the flaw could potentially read sensitive project data, modify issue tracking information, or even escalate privileges within the application. The attack requires minimal user interaction, typically a user navigating to a specially crafted URL or clicking a malicious link that reaches the vulnerable code path, which makes the vulnerability particularly dangerous in environments where users encounter untrusted content or where social engineering is common. The vulnerability is classified under the ATT&CK framework as a "Cross-Site Scripting" technique within the T1059.007 category, which represents the execution of malicious code through scripting languages.

Remediation is straightforward and is included in version 2.28.1 of Mantis Bug Tracker: the tag name is properly escaped before it is rendered in the confirmation message, so any HTML or script content in the name is neutralized. Organizations that cannot upgrade immediately can apply the suggested workarounds, either reverting the specific commit that introduced the vulnerability or manually editing the affected language files to remove the problematic sprintf placeholder, so that the tag name is no longer interpolated into the message at all. These measures align with the principles of least privilege and input validation recommended by the OWASP Top Ten project. The case demonstrates the importance of proper output encoding in web applications and is a reminder that even seemingly benign functionality becomes a security risk when escaping is omitted; it also underlines the need to keep security patches current and to maintain robust code review processes so that similar issues are caught before release.
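The escaping defect the analysis describes, as an added example that is not MantisBT's own code: a confirmation message is built from a language string carrying a sprintf placeholder, once with the raw tag name (the vulnerable pattern), once with the name HTML-encoded before substitution (the fix), and once from a placeholder-free template (what the language-file workaround leaves behind). The message wording, the sample tag name and every function name below are constructed for this example; only the `$s_tag_delete_message` variable name and the `%1$s` placeholder come from the advisory.

```php
<?php
// Added example modelling the escaping flaw described in the advisory.
// This is not MantisBT code: the message wording and all function names
// are constructed stand-ins for illustration.

// Stand-in for the $s_tag_delete_message language string. The real
// MantisBT wording is not shown on this page; only the %1$s placeholder is.
$s_tag_delete_message = 'Are you sure you want to delete the tag "%1$s"?';

// Vulnerable pattern: the raw tag name is substituted straight into markup,
// so any '<', '>' or quote characters in the name become part of the page.
function tag_delete_message_vulnerable(string $template, string $tag_name): string
{
    return sprintf($template, $tag_name);
}

// Hardened pattern: encode the name for an HTML context before it is
// substituted. ENT_QUOTES also encodes single quotes, and ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function tag_delete_message_escaped(string $template, string $tag_name): string
{
    $safe = htmlspecialchars($tag_name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return sprintf($template, $safe);
}

// Workaround pattern from the advisory: a template with no %1$s placeholder
// never interpolates the name, so there is nothing to escape (at the cost of
// a less informative prompt).
function tag_delete_message_without_placeholder(): string
{
    $template_no_placeholder = 'Are you sure you want to delete this tag?';
    return $template_no_placeholder;
}

// Regression check a maintainer might add: if the name contains any
// HTML-significant character, the rendered message must contain only the
// encoded form of the name and never the raw one.
function output_keeps_markup_inert(string $tag_name, string $rendered): bool
{
    $encoded = htmlspecialchars($tag_name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    if ($encoded === $tag_name) {
        return true; // nothing in the name needed encoding
    }
    return strpos($rendered, $tag_name) === false
        && strpos($rendered, $encoded) !== false;
}

// Constructed tag name containing markup. A harmless <b> element is enough
// to show the difference between the two renderings.
$tag_name = 'release <b>candidate</b>';

$vulnerable = tag_delete_message_vulnerable($s_tag_delete_message, $tag_name);
$escaped    = tag_delete_message_escaped($s_tag_delete_message, $tag_name);

echo "vulnerable: $vulnerable\n";
echo "escaped:    $escaped\n";
echo "workaround: " . tag_delete_message_without_placeholder() . "\n";

var_dump(output_keeps_markup_inert($tag_name, $vulnerable));
var_dump(output_keeps_markup_inert($tag_name, $escaped));
```

Run with `php example.php`. The vulnerable rendering carries the `<b>` element through into the message unchanged, so a browser would interpret it as markup; the escaped rendering turns `<` and `>` into `&lt;` and `&gt;`, so the same name is displayed literally. The check function returns false for the first output and true for the second, which is the kind of assertion worth keeping in a test suite so the placeholder cannot silently lose its escaping again in a later refactor.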

Responsible

GitHub M

Reservation

03/20/2026

Disclosure

03/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00049

KEV

no

Activities

very low

Sources
